[SingCERT] Apache Struts2 Possible Remote Code Execution

Apache Struts is an open-source web framework from the Apache Software Foundation (it began as part of the Apache Jakarta project) that implements the Model-View-Controller (MVC) pattern for building Java web applications.

Apache Struts 2 is affected by a high-risk remote code execution (RCE) vulnerability. The vulnerability is being actively exploited on a wide scale because it is easy to exploit: a single crafted HTTP request, with no authentication, is enough. SingCERT has found numerous unpatched Apache Struts websites in Singapore that are affected, and there are potentially many more that have not been patched and are therefore vulnerable.

Affected Software

Apache Struts 2.3.5 – 2.3.31

Apache Struts 2.5 – 2.5.10

Impact
The RCE vulnerability (CVE-2017-5638, Apache security bulletin S2-045) exists in the Jakarta Multipart parser that Struts 2 uses for file uploads, due to improper handling of the Content-Type header. When a request carries a malformed Content-Type value, the parser's error message includes that value, and Struts evaluates the message as an OGNL expression. An attacker therefore only needs to send one request whose Content-Type header contains an OGNL expression; the expression is executed on the server with the privileges of the web application process, which allows arbitrary system commands to be run.
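The distinguishing feature of this attack is that a legitimate Content-Type header is a plain media type (for example `multipart/form-data; boundary=...`) and never contains OGNL expression delimiters such as `%{` or `${`, nor Struts-internal names such as `#_memberAccess`. The following added example (not SingCERT's code, nor part of Struts) uses that property to flag suspicious requests in a batch of request records. The marker list and the sample requests are constructed for this illustration; the malicious samples are deliberately not working payloads.

```python
import re

# Added example: flag HTTP requests whose Content-Type header carries an OGNL
# expression, the hallmark of an S2-045 probe. A legitimate Content-Type is a
# media type, so the delimiters "%{" / "${" and Struts-internal identifiers
# should never appear there. The marker list is an assumption for this demo,
# not an official signature.
OGNL_MARKERS = re.compile(
    r"(%\{|\$\{|#_memberAccess|#context|@ognl\.OgnlContext|@java\.lang\.Runtime)",
    re.IGNORECASE,
)

# Constructed sample request records: (client_ip, method, path, content_type).
# The two malicious values are shaped like probes but are not functional payloads.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "POST", "/upload.action",
     "multipart/form-data; boundary=----WebKitFormBoundaryX7bZ"),
    ("198.51.100.7", "GET", "/index.action",
     "%{(#_='multipart/form-data').(#probe=1)}"),
    ("192.0.2.55", "POST", "/login.action",
     "application/x-www-form-urlencoded"),
    ("198.51.100.9", "POST", "/api.action",
     "${#_memberAccess}"),
]


def content_type_is_suspicious(content_type: str) -> bool:
    """True when the header contains OGNL delimiters or Struts-internal names."""
    return bool(OGNL_MARKERS.search(content_type or ""))


def scan_requests(requests):
    """Return (ip, method, path, matched_marker) for every suspicious request."""
    hits = []
    for ip, method, path, ctype in requests:
        m = OGNL_MARKERS.search(ctype or "")
        if m:
            hits.append((ip, method, path, m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("ALERT possible S2-045 probe: ip=%s %s %s marker=%r" % hit)
```

Struts reads the raw header value, so an attacker cannot hide the `%{` / `${` delimiters behind URL encoding; matching them literally is sound. Run the check on the Content-Type header as received by the web server or reverse proxy, and treat any hit as an exploitation attempt rather than a malformed client.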

More details on this vulnerability can be found in reference links below.

Recommendation
Website owners using Apache Struts should immediately verify which version they are running to determine whether they are vulnerable. Those running an affected version are advised to upgrade to Apache Struts 2.3.32 or 2.5.10.1 (or later) without delay. Where an upgrade cannot be applied immediately, the Apache S2-045 bulletin describes a stopgap of rejecting requests whose Content-Type header does not match a valid multipart/form-data value, for example in a servlet filter in front of the application; this does not replace patching.
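Checking the version by hand across many deployments is error-prone, especially because 2.5.10.1 must be treated as newer than 2.5.10. The following added example (not SingCERT's code) encodes the affected ranges from this advisory and checks the `struts2-core` jars found in a deployment tree. It assumes the standard Maven file naming `struts2-core-<version>.jar`; the sample jar paths are constructed.

```python
import re
import sys
from pathlib import Path

# Added example: check struts2-core jar versions against the affected ranges
# given in this advisory. Assumes the Maven naming convention
# struts2-core-<version>.jar (e.g. struts2-core-2.3.31.jar).
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),   # 2.3.5 through 2.3.31, fixed in 2.3.32
    ((2, 5),    (2, 5, 10)),   # 2.5 through 2.5.10, fixed in 2.5.10.1
]

JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")
NUMERIC_PREFIX = re.compile(r"\d+(?:\.\d+)*")


def parse_version(version: str):
    """'2.5.10.1' -> (2, 5, 10, 1). Qualifiers such as '-SNAPSHOT' are ignored."""
    m = NUMERIC_PREFIX.match(version)
    if not m:
        raise ValueError("not a dotted numeric version: %r" % version)
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside an affected range.

    Tuples compare lexicographically, so (2, 5, 10, 1) > (2, 5, 10) and the
    four-component fix release is correctly treated as newer than 2.5.10.
    """
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def scan_jar_names(jar_names):
    """Return [(jar_path, version, vulnerable)] for every struts2-core jar."""
    findings = []
    for name in jar_names:
        m = JAR_NAME.match(Path(name).name)
        if m:
            version = m.group(1)
            findings.append((name, version, is_vulnerable(version)))
    return findings


def find_struts_jars(root):
    """Walk a real deployment directory for struts2-core jars."""
    return [str(p) for p in Path(root).rglob("struts2-core-*.jar")]


# Constructed sample paths for running the example offline.
SAMPLE_JARS = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/shop/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.4.jar",
    "/opt/tomcat/webapps/shop/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    # Usage: python check_struts.py /opt/tomcat/webapps   (scans the tree)
    #        python check_struts.py                        (uses SAMPLE_JARS)
    names = find_struts_jars(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JARS
    for path, version, vulnerable in scan_jar_names(names):
        print("%-10s %s (%s)" % ("VULNERABLE" if vulnerable else "ok", path, version))
```

The scan only sees jars on disk; applications that bundle Struts inside an unexploded WAR or relocate the classes need the WAR contents listed as well. Treat every `VULNERABLE` result as a host to upgrade to 2.3.32 or 2.5.10.1 (or later).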